Fails to set up UDP with AnyConnect when latest crypto-policies is installed
On openSUSE Tumbleweed (20210510), openconnect fails with the following message when trying to set up a UDP (DTLS) connection to Cisco AnyConnect:
...
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1406
DTLS option X-DTLS-CipherSuite : DHE-RSA-AES256-SHA
Failed to set DTLS priority: 'NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+DHE-RSA:%COMPAT': No or insufficient priorities were set.
Set up UDP failed; using SSL instead
Connected as x.x.x.x, using SSL, with DTLS disabled
...
I believe this is due to the fact that with redhat-crypto/fedora-crypto-policies!91 (merged) DTLS 0.9 is now (correctly) disabled system-wide, thus gnutls_priority_set_direct(..., "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+DHE-RSA:%COMPAT") returns GNUTLS_E_NO_PRIORITIES_WERE_SET.
I do not know of any good workaround. Currently I remove the disabled-version = DTLS0.9 line in /etc/crypto-policies/back-ends/gnutls.config to get DTLS working again, but that's probably not the best idea. Alternatively, update-crypto-policies --set LEGACY could work as well, but that's probably an even worse idea.
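To make the interaction described in this report concrete, here is an added Python model (not GnuTLS or openconnect code) of how a priority string's version allowlist is intersected with the crypto-policies override: the AnyConnect string enables only DTLS0.9, the default policy subtracts DTLS0.9, and nothing remains. The config bodies are constructed samples, and only the NONE/+VERS-/-VERS- keywords are modelled, not GnuTLS's full grammar.

```python
"""Simplified model of GnuTLS priority strings vs. crypto-policies overrides.
Added illustration; not the real GnuTLS parser."""
import os
import re

# Priority string quoted in the openconnect log above.
ANYCONNECT_PRIORITY = "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+DHE-RSA:%COMPAT"

# Constructed sample of a DEFAULT-policy gnutls.config (only the relevant lines).
DEFAULT_POLICY = """[overrides]
disabled-version = SSL3.0
disabled-version = DTLS0.9
"""
# Constructed sample standing in for LEGACY, which leaves DTLS0.9 enabled.
LEGACY_POLICY = """[overrides]
disabled-version = SSL3.0
"""
POLICY_PATH = "/etc/crypto-policies/back-ends/gnutls.config"


def policy_disabled_versions(gnutls_config: str) -> set[str]:
    """Collect every 'disabled-version = X' override from a gnutls.config body."""
    return {m.group(1) for m in re.finditer(r"^\s*disabled-version\s*=\s*(\S+)", gnutls_config, re.M)}


def versions_after_policy(priority: str, gnutls_config: str) -> set[str]:
    """Protocol versions that survive both the priority string and the system policy.
    An empty result is the situation GnuTLS reports as GNUTLS_E_NO_PRIORITIES_WERE_SET."""
    enabled: set[str] = set()
    for item in priority.split(":"):
        if item == "NONE":
            enabled.clear()  # start from an empty allowlist
        elif item.startswith("+VERS-"):
            enabled.add(item[len("+VERS-"):])
        elif item.startswith("-VERS-"):
            enabled.discard(item[len("-VERS-"):])
        # cipher, MAC, KX, compression keywords and %FLAGS do not touch the version set
    return enabled - policy_disabled_versions(gnutls_config)


if __name__ == "__main__":
    # Use the real policy file when present, otherwise the constructed DEFAULT sample.
    config = open(POLICY_PATH).read() if os.path.exists(POLICY_PATH) else DEFAULT_POLICY
    left = versions_after_policy(ANYCONNECT_PRIORITY, config)
    print("DTLS versions usable with the AnyConnect priority:", left or "none (DTLS falls back to SSL)")
```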